What is Cloud Storage Security?
Dropbox is a collaboration platform that allows users to share and contribute to files. As with any file-sharing system, it is important to ensure Dropbox security by making sure files are only accessible to authorized individuals and by preventing their exposure or corruption.
Dropbox maintains a secure environment, with encryption and data protection during transfer, processing, and storage. However, the use of Dropbox still raises serious security concerns for organizations:
- When users share sensitive data via the basic version of Dropbox, without the knowledge or approval of IT staff, this can result in data leaks.
- If you use Dropbox Business officially within your organization, you must still take measures to safeguard organizational data.
Dropbox Business provides advanced security features and the additional visibility and control required by IT administrators. We’ll contrast the security capabilities of Dropbox basic vs. Dropbox for Business, and provide best practices for securing your data.
This is part of a series of articles about cloud storage security.
Dropbox Security Concerns
Here are some of the main security concerns facing organizations whose users make use of Dropbox:
- Social engineering—the most dangerous vulnerabilities are on the user side of the Dropbox environment. Users often face phishing and social engineering attacks designed to trick people into giving up their credentials and access to their accounts. When attackers successfully compromise Dropbox credentials, they gain access to all the data accessible by that user account.
- Data theft—most problems with Dropbox stem from a lack of oversight. Business owners do not know which devices have Dropbox installed, and don’t have control over which employee devices can sync with a work PC. Users can sync data between corporate and personal devices using Dropbox, with no authorization required. This greatly increases the chance of data being stolen or shared with the wrong party.
- Data loss—file movement between endpoints and lack of visibility into file versions can cause Dropbox to incorrectly modify files on employee devices. Due to this lack of visibility, if an endpoint is corrupted or lost, it may not be possible to recover the latest or recent versions of a file.
- Legal exposure—allowing employees to use Dropbox can lead to large-scale data breaches. Dropbox gives employees the freedom to share and permanently delete data. This could result in permanent loss of sensitive business documents, loss of data belonging to an organization’s customers, or sharing of sensitive information, potentially violating privacy agreements with customers and third parties.
- Non-compliance—many regulations and industry standards require that files be kept for a certain period of time and only be made accessible to certain users. Dropbox has very lenient file retention and file access controls, which put companies at risk of compliance violations.
- Accountability—Dropbox does not provide detailed reporting and alerting of system-level activity. This means that it is difficult to monitor changes to user accounts, passwords, and other objects. If a malicious administrator gains access to the system, they could perform major configuration changes with no way to alert other administrators of these changes.
- No audit trail—Dropbox doesn’t track who has access to your files, from which device, and at what time. This can be a challenge when trying to identify the events that led to the creation, modification, or deletion of a file in a data security incident.
Many of these issues can be mitigated by using Dropbox Business. The security features provided in these editions are described in more detail below.
Security Features in Consumer Editions of Dropbox
Despite the security risks inherent in Dropbox, the basic edition of the solution does provide robust security measures. Let’s review the key security layers and controls.
Dropbox Account Security
Dropbox supports several features to protect accounts and prevent unwanted third parties from accessing sensitive files:
- Password-protected login—Dropbox periodically changes and notifies users to change their account password. It provides Dropbox Passwords, a password management tool that helps users centrally store all account logins, security codes and payment cards, and sync them across devices.
- Breach monitoring—users of Dropbox Passwords can be notified when an account associated with their email address is exposed on the web. They can then reset their password to prevent attackers from accessing that account.
- Multi-factor authentication (MFA)—Dropbox uses MFA as an extra layer of security for accounts. Users can connect a phone, or a mobile application like Google Authenticator, to receive a 6-digit security code each time they log in.
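Authenticator apps such as Google Authenticator derive the 6-digit code with TOTP (RFC 6238). The following is an added example, not Dropbox's code: it shows how the code is computed from a shared secret and the current time, and how a verifier can tolerate clock drift. The secret is the RFC test value and the one-step drift window is an assumption.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) for Unix time `at`."""
    # The moving factor is the number of `step`-second intervals since the epoch.
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float,
           window: int = 1, step: int = 30) -> bool:
    """Accept a code from `window` steps either side of `at` (clock drift).

    The window size is an assumed policy; a wider window is more forgiving
    but keeps a captured code usable for longer.
    """
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step=step)
        # Constant-time comparison; check every candidate, no early exit.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(totp(secret, 59))
    print(verify(secret, totp(secret, 59), at=89))   # one step late: accepted
    print(verify(secret, totp(secret, 59), at=149))  # three steps late: rejected
```

A server should also reject reuse of a code it has already accepted and rate-limit attempts, since a 6-digit code has only one million possible values.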
Dropbox Link Security
Dropbox provides a very convenient way to share files—users can create a link to a file or folder and share it with others, allowing them to access and download the files. Public Dropbox links look like this:
Dropbox provides two security measures for public links:
- Security by obscurity—links are unique and completely random, making it very difficult for attackers to guess a link unless shared with them by the user.
- Links can be disabled—after sharing a link, a user can disable it, so others who received the link can no longer access the referenced files. Therefore, a good security practice for Dropbox users is to ask recipients if they received the files, and then disable the link to prevent others from accessing them.
Dropbox File Security
Dropbox has two ways to secure data at the file level:
- Built-in encryption—Dropbox uses the Advanced Encryption Standard (AES), with state-of-the-art 256-bit encryption. Once a file is transferred to Dropbox, it is automatically encrypted and is only decrypted when accessed by an authorized Dropbox user.
- Dropbox Restore and Recovery—if users accidentally delete a file or save a new version of a file and want to revert to a previous state, they can restore it through Dropbox. Dropbox keeps copies of deleted files and previous versions for 30 days—this can be extended if you buy Dropbox Professional or Dropbox Business.
Security Features in Dropbox Business
Dropbox’s administrative visibility and control features empower end users and IT professionals to secure and manage data. Dropbox provides everything required to work with data in one place, including tools, collaborators, and content. Beyond securing storage, Dropbox offers ways to optimize existing workflows seamlessly.
Dropbox offers the following features to enable visibility:
- Alerts and notifications—Dropbox Enterprise allows admins to receive real-time alerts of any suspicious activity, security risks, and data leaks detected.
- External sharing report and insights page—Dropbox provides additional visibility by allowing admins to create reports based on the external sharing or insights page. These reports list all folders and files the team has shared externally, including shared links. The administrator console has an “external sharing” page that lets you view and filter the folders and files shared out-of-team, including file type, link settings, and who shared.
- File and folder sharing controls—file sharing settings allow the team admin to control how team members access and share content. You can set default expirations and password restrictions at the team level to reduce the risk of data loss. Users are not responsible for setting restrictions.
- Recovery and version control—Dropbox Business allows you to restore deleted Dropbox Paper documents. You can also recover older versions of your Paper docs and files to track all changes to important data.
Maintaining data security is crucial to protecting business-critical assets and sensitive information like personally identifiable information (PII) and intellectual property (IP). Data security teams can leverage Dropbox’s fine-grained content controls to protect, monitor, and manage your organization’s content.
Dropbox provides the following permissions and security controls:
- Shared file permissions—the team members that own shared files can disable access permissions for other users, including disabling comments.
- Shared folder permissions—the owners of shared folders can remove users’ access to their folders or change read and edit permissions. They can also transfer ownership of a folder.
- Passwords for shared links—you can protect shared links with owner-defined passwords. The access control layer checks the passwords before transmitting any folder or file. It also verifies other requirements based on the group, team, and folder access control lists (ACLs).
- Shared link expiration—users can set the expiration for shared links when providing temporary access to a folder or file. Admins can use sharing controls to set a default expiration for specific links for enhanced security rather than giving users the option.
- Granular sharing and access controls—admins use sharing controls to manage group memberships and permissions at the top or sub-folder level. These controls ensure that groups and users inside or outside the organization can only access and share specific files and folders.
- Team folder management—admins can see all team folders from a centralized pane, where they can also customize file-sharing policies to prevent the wrongful sharing of sensitive content.
- Enterprise mobility management (EMM)—Dropbox integrates with external EMM solutions to allow Dropbox Business admins to control how users access Dropbox from mobile and remote devices. Team administrators can restrict the use of mobile applications for a Dropbox Enterprise account to allow access only from managed devices. EMM also helps provide visibility into application usage (e.g., access locations, available storage, etc.) and makes it possible to remotely wipe lost and stolen devices.
- Device approval—Dropbox allows Dropbox Business admins (on Enterprise and Advanced plans) to limit the number of devices that users can sync to Dropbox. You can choose whether users or admins manage approvals. You can also make an exception list for unrestricted users (where the device limit doesn’t apply). Device approvals don’t cover the Paper mobile application.
- Two-step verification requirements—you can create a requirement for two-step verification that affects specific team members or the whole team. You can also enforce other multi-factor authentication (MFA) requirements via the SSO implementation for your team.
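The link controls listed above (passwords, expirations, external sharing visibility) can be checked periodically against a team policy. The following is an added example, not Dropbox's code or report format: the CSV column names, the sample rows and the 30-day lifetime limit are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a shared-link inventory. Column names are hypothetical
# and do not reproduce the layout of Dropbox's external sharing report.
SAMPLE_REPORT = """\
path,owner,audience,password_protected,expires
/Finance/q3-forecast.xlsx,alice@example.com,public,false,
/HR/offer-letter.pdf,bob@example.com,public,true,2024-07-01T00:00:00Z
/Eng/design.pdf,carol@example.com,team,false,
/Legal/nda.docx,dave@example.com,public,true,2025-06-01T00:00:00Z
"""

MAX_LIFETIME = timedelta(days=30)  # assumed team policy, not a Dropbox default


def audit_links(report_text, now, max_lifetime=MAX_LIFETIME):
    """Return {path: [findings]} for externally reachable links that break policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["audience"] != "public":
            continue  # links restricted to team members are out of scope here
        issues = []
        if row["password_protected"].lower() != "true":
            issues.append("no password")
        if not row["expires"]:
            issues.append("no expiration")
        else:
            expires = datetime.fromisoformat(row["expires"].replace("Z", "+00:00"))
            if expires - now > max_lifetime:
                issues.append("expiration beyond policy")
        if issues:
            findings[row["path"]] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed for a repeatable run
    for path, issues in audit_links(SAMPLE_REPORT, now).items():
        print(f"{path}: {', '.join(issues)}")
```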
How to Improve Your Organization’s Dropbox Security
If your organization’s users use Dropbox for backups and file sharing, it’s best to think of Dropbox as a simple file sync system. Consider the risks of potential failure and unauthorized access, and take steps to protect sensitive files and data. Here are the steps users can take to improve security:
- Set up email notifications—in addition to two-factor authentication, Dropbox makes it possible to receive emails every time there is a login to an account, new applications are granted access, or a large number of files are deleted.
- Enable selective sync—Dropbox allows users to choose which files to sync with their cloud storage account. It’s easy to automatically sync everything on your device, but by selectively choosing files and folders, users can reduce risks and potential damage.
- Disconnect devices and apps—if a device or app doesn’t need access to a Dropbox account, it should be disconnected. By doing this, users will have more control over which files are synced to their account.
- Encrypt Dropbox files before uploading—there are both free and paid software solutions that can enable users to independently encrypt files before sharing them with Dropbox. People wanting to access the files will need to sign into the same encryption service.
- Security education—all employees must receive basic training in security risks. They need to understand security issues created by file sharing tools and understand the organization’s policies and requirements.